Logging and Alerting in a Hybrid Environment


So, I am working in a company where we are re-vamping the entire concept of how we do security, to include a centralized SOC/CERT at the company HQ-level, who are responsible for bringing logging in from ALL of our divisions and subsidiaries; translating those events into a common operational picture of the current state of alerts and events across the company; and investigating alerts and events that would indicate a security incident.


We are going all-in on establishing a data lake where these events would be coming in, stored and analyzed. Still not sure about using Sentinel or going another route. My question to the team here...is there a definitive document or documents from MS that says, "these are the minimum logs you would want/need" for effective monitoring of a hybrid, on-prem, multi-cloud provider environment?


A centralized best-practices document, or a series of them, would be ideal!

1 Reply
Hello Edwin,

There is not a single document with this info, but I hope the options below will help you:

Sentinel Best Practices (talks about some logs that should be collected, regardless of whether they are on-prem or not)

Security Best Practices: this one looks at security best practices for each workload and also covers logging